From 5a54f1aec2d9b739c95ed862661efe7b8ff75d31 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Fri, 31 Aug 2018 10:46:20 -0400
Subject: Fixes #3460 -- deprecate OpenSSL 1.0.1 (#4427)
* Fixes #3460 -- deprecate OpenSSL 1.0.1
* We need to import warnings
* flake8
* words are hard
* rephrase
---
 CHANGELOG.rst | 4 ++++
 docs/installation.rst | 4 ++++
 src/cryptography/hazmat/bindings/openssl/binding.py | 16 ++++++++++++++++
 3 files changed, 24 insertions(+)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index c6d0d93c..a614df84 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -8,6 +8,10 @@ Changelog
 .. note:: This version is not yet released and is under active development.
+* Deprecated OpenSSL 1.0.1 support. OpenSSL 1.0.1 is no longer supported by
+ the OpenSSL project. At this time there is no time table for dropping
+ support, however we strongly encourage all users to upgrade or install
+ ``cryptography`` from a wheel.
 * Added initial :doc:`OCSP ` support.
 .. _v2-3-1:
diff --git a/docs/installation.rst b/docs/installation.rst
index d665dbc5..2d9db667 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -30,6 +30,10 @@ OpenSSL releases:
 * ``OpenSSL 1.1.0-latest``
 * ``OpenSSL 1.1.1-latest``
+.. warning::
+ Cryptography 2.4 has deprecated support for OpenSSL 1.0.1.
+
+
 Building cryptography on Windows
 --------------------------------
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index ec74d4cf..d52619dc 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -7,6 +7,7 @@ from __future__ import absolute_import, division, print_function
 import collections
 import threading
 import types
+import warnings
 from cryptography import utils
 from cryptography.exceptions import InternalError
@@ -150,9 +151,24 @@ class Binding(object):
 _openssl_assert(cls.lib, res == 1)
+def _verify_openssl_version(lib):
+ if (
+ lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and
+ not lib.CRYPTOGRAPHY_IS_LIBRESSL
+ ):
+ warnings.warn(
+ "OpenSSL version 1.0.1 is no longer supported by the OpenSSL "
+ "project, please upgrade. A future version of cryptography will "
+ "drop support for it.",
+ DeprecationWarning
+ )
+
+
 # OpenSSL is not thread safe until the locks are initialized. We call this
 # method in module scope so that it executes with the import lock. On
 # Pythons < 3.4 this import lock is a global lock, which can prevent a race
 # condition registering the OpenSSL locks. On Python 3.4+ the import lock
 # is per module so this approach will not work.
 Binding.init_static_locks()
+
+_verify_openssl_version(Binding.lib)
-- cgit v1.2.3
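Review bot: The `DeprecationWarning` category passed to `warnings.warn` in `_verify_openssl_version` is ignored by Python's default warning filters when the warning is raised from library code, so a process linked against OpenSSL 1.0.1 will normally import this module without showing the notice. Because the check exists to tell operators that their OpenSSL is no longer supported upstream, a category that is displayed by default would serve better, for example `UserWarning` or a project-specific subclass of it in place of `DeprecationWarning`. The module-scope call `_verify_openssl_version(Binding.lib)` also appears to rely on `Binding.init_static_locks()` having populated `Binding.lib` first; the class body is outside this hunk, so that is inferred. A one-line comment would record the ordering, such as `# Binding.lib must be initialised before this check; keep it after init_static_locks()`.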